
sem: drive Starter SQL restrictions through SEM v2 config#67945

Open
AmoebaProtozoa wants to merge 1 commit into
pingcap:masterfrom
AmoebaProtozoa:sem-strict

Conversation

@AmoebaProtozoa
Contributor

@AmoebaProtozoa AmoebaProtozoa commented Apr 21, 2026

What problem does this PR solve?

Issue Number: ref #67765

Problem Summary:

The Starter deploy mode needs tighter SQL restrictions than stock TiDB: a set of
dangerous statements rejected outright, optimizer hints that would otherwise
sidestep SEM-hidden sysvars stripped, the managed admin accounts protected from
account/role changes, and pipelined DML disabled. Most of this is already
expressible through the existing config-driven SEM v2 mechanism, so this PR
extends SEM v2 with the few capabilities it was missing instead of adding a
parallel "strict" subsystem.

What changed and how does it work?

Every restriction is driven by the SEM v2 config (security.sem-config) and is
inert unless the config opts into it, so existing deployments are unaffected.

  • Statement restrictions reuse the existing restricted_sql deny-list (sql
    matched on ast.SEMCommand(), plus named rules). ast.SEMCommand() already
    distinguishes every dangerous statement (BACKUP/RESTORE, placement policy,
    resource group, FLASHBACK CLUSTER, SET CONFIG, SPLIT REGION, the SHOW/ADMIN
    subtypes, ...), so the only new rule is exchange_partition for
    ALTER TABLE ... EXCHANGE PARTITION, which shares the generic ALTER TABLE
    command and cannot be matched by command string.
  • New config-driven SEM v2 fields:
    • restricted_users / restricted_roles protect managed identities from
      DROP/RENAME USER and role changes (CheckRestrictedUserStmt), enforced
      in the planner ahead of the RESTRICTED_SQL_ADMIN bypass.
    • restricted_hints is a list of optimizer hint names stripped with a warning;
      a hint that overrides a system variable (e.g. memory_quota) is stripped only
      while that variable is SEM-hidden or read-only.
  • Pipelined DML falls back to standard mode under the Starter deploy mode
    (deploymode.IsStarter()), independent of SEM.

Enforcement is gated by semv2.IsEnabled() (and deploymode.IsStarter() for the
pipelined-DML fallback), so classic builds and non-Starter deployments keep their
current behavior.

Check List

Tests

  • Unit test
  • Integration test
  • Manual test
  • No need to test

Side effects

  • Performance regression: Consumes more CPU
  • Performance regression: Consumes more Memory
  • Breaking backward compatibility

Documentation

  • Affects user behaviors
  • Contains syntax changes
  • Contains variable changes
  • Contains experimental features
  • Changes MySQL compatibility

Release note

None
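
The ordering and the two identity lists described above, as an added example in Go. This is illustrative code written for this page, not TiDB's semv2 package: the struct fields, the command strings ("BACKUP", "ALTER TABLE", "DROP USER"), the managed identity names and the treatment of the RESTRICTED_SQL_ADMIN bypass as skipping the whole deny-list are all assumptions made for the example. It models restricted_sql (command string plus named rule), restricted_users/restricted_roles checked before the admin bypass, and the point the review raised about GRANT/REVOKE ROLE needing to check the target users as well as the roles.

```go
package main

import (
	"fmt"
	"strings"
)

// SEMConfig models the config-driven fields the PR describes. Example code,
// not TiDB's semv2 package: field and command names are assumptions.
type SEMConfig struct {
	RestrictedSQL   []string // command strings, as ast.SEMCommand() would yield them
	RestrictedRules []string // named rules such as exchange_partition
	RestrictedUsers []string // managed accounts
	RestrictedRoles []string // managed roles
}

// Stmt is a flattened stand-in for a parsed statement.
type Stmt struct {
	Command string   // e.g. "BACKUP", "ALTER TABLE", "DROP USER"
	Rules   []string // named rules the statement matches
	Users   []string // accounts targeted by DROP/RENAME USER, GRANT/REVOKE ROLE, SET DEFAULT ROLE
	Roles   []string // roles targeted by role-changing statements
}

func containsFold(list []string, v string) bool {
	for _, x := range list {
		if strings.EqualFold(x, v) {
			return true
		}
	}
	return false
}

// CheckRestrictedSQL is the deny-list: reject when the command string or any
// named rule is configured. The rule exists for EXCHANGE PARTITION, which
// shares the generic ALTER TABLE command string.
func (c SEMConfig) CheckRestrictedSQL(s Stmt) error {
	if containsFold(c.RestrictedSQL, s.Command) {
		return fmt.Errorf("%s is not allowed under SEM", s.Command)
	}
	for _, r := range s.Rules {
		if containsFold(c.RestrictedRules, r) {
			return fmt.Errorf("%s is not allowed under SEM (rule %s)", s.Command, r)
		}
	}
	return nil
}

// CheckRestrictedIdentity rejects a statement naming a managed account or
// role. Both lists are walked for every identity-changing statement:
// GRANT/REVOKE ROLE carries users as well as roles, so checking only Roles
// would leave a managed account's role set editable.
func (c SEMConfig) CheckRestrictedIdentity(s Stmt) error {
	for _, u := range s.Users {
		if containsFold(c.RestrictedUsers, u) {
			return fmt.Errorf("user %s is managed and cannot be modified", u)
		}
	}
	for _, r := range s.Roles {
		if containsFold(c.RestrictedRoles, r) {
			return fmt.Errorf("role %s is managed and cannot be modified", r)
		}
	}
	return nil
}

// Check orders the guards as the PR describes: the identity check runs ahead
// of the RESTRICTED_SQL_ADMIN bypass, so that privilege cannot be used to
// drop or rename a managed account. Treating the bypass as skipping the whole
// deny-list is a simplification assumed here.
func (c SEMConfig) Check(s Stmt, hasRestrictedSQLAdmin bool) error {
	if err := c.CheckRestrictedIdentity(s); err != nil {
		return err
	}
	if hasRestrictedSQLAdmin {
		return nil
	}
	return c.CheckRestrictedSQL(s)
}

// StarterConfig is a constructed sample; the managed identity names are made up.
func StarterConfig() SEMConfig {
	return SEMConfig{
		RestrictedSQL:   []string{"BACKUP", "RESTORE", "FLASHBACK CLUSTER", "SET CONFIG"},
		RestrictedRules: []string{"exchange_partition"},
		RestrictedUsers: []string{"cloud_admin"},
		RestrictedRoles: []string{"cloud_admin_role"},
	}
}

func main() {
	cfg := StarterConfig()
	for _, tc := range []struct {
		desc  string
		stmt  Stmt
		admin bool
	}{
		{"BACKUP, app user", Stmt{Command: "BACKUP"}, false},
		{"BACKUP, RESTRICTED_SQL_ADMIN", Stmt{Command: "BACKUP"}, true},
		{"ALTER TABLE ... EXCHANGE PARTITION", Stmt{Command: "ALTER TABLE", Rules: []string{"exchange_partition"}}, false},
		{"DROP USER cloud_admin, admin", Stmt{Command: "DROP USER", Users: []string{"cloud_admin"}}, true},
		{"GRANT r1 TO cloud_admin", Stmt{Command: "GRANT ROLE", Users: []string{"cloud_admin"}, Roles: []string{"r1"}}, false},
	} {
		fmt.Printf("%-36s -> %v\n", tc.desc, cfg.Check(tc.stmt, tc.admin))
	}
}
```

The thing to notice is the order in Check: a privilege that bypasses the statement deny-list must not also bypass the managed-identity guard, otherwise RESTRICTED_SQL_ADMIN becomes a path to dropping the cloud operator account.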

@ti-chi-bot ti-chi-bot Bot added do-not-merge/invalid-title do-not-merge/needs-linked-issue do-not-merge/needs-tests-checked release-note-none Denotes a PR that doesn't merit a release note. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Apr 21, 2026
@ti-chi-bot

ti-chi-bot Bot commented Apr 21, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@coderabbitai

coderabbitai Bot commented Apr 21, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds a concurrency-safe strict SEM flag, implements strict Starter Edition Mode checks for statements and optimizer hints, integrates strict checks into planner and session (pipelined DML), wires strict enabling at server startup, and adds unit/integration tests and BUILD dependency updates.

Changes

Strict SEM Feature Implementation

Layer: Strict SEM flag and statement core
Files: pkg/util/sem/v2/restricted_statement.go, pkg/util/sem/v2/restricted_statement_test.go
Summary: Introduces IsRestrictedStatement(stmt ast.Node) error, protected user/role lists, per-statement verifiers (DDL, SHOW, LOAD DATA, ADMIN, BRIE), and extensive tests validating allowed and rejected SQL under strict SEM.

Layer: Hint restrictions and tests
Files: pkg/util/sem/v2/restricted_hint.go, pkg/util/sem/v2/restricted_hint_test.go
Summary: Adds IsRestrictedHint(hintNameLower string) error that rejects specific optimizer hints when strict SEM is enabled and relevant sysvars are hidden/readonly; unit tests cover hidden/readonly/disabled cases.

Layer: Server init and strict flag wiring
Files: cmd/tidb-server/main.go
Summary: setupSEM() checks Starter deployment mode, selects semv2.Enable(cfg.Security.SEMConfig) vs sem.Enable(), logs when strict SEM is required but disabled, and calls semv2.EnableStrict() post-enable when appropriate.

Layer: Planner & optimizer integration
Files: pkg/planner/core/planbuilder.go, pkg/planner/optimize.go, pkg/planner/BUILD.bazel
Summary: checkSEMStmt() invokes semv2.IsStrictEnabled() + IsRestrictedStatement before prior SEM guards; filterRestrictedHints() removes semv2-restricted hints under strict SEM and appends warnings into sessVars.StmtCtx before parsing. BUILD deps updated.

Layer: Session-level execution control
Files: pkg/session/session.go, pkg/session/BUILD.bazel
Summary: usePipelinedDmlOrWarn() now forces pipelined DML off when semv2.IsStrictEnabled() and emits a warning; BUILD deps updated.

Layer: Integration test updates
Files: tests/realtikvtest/pipelineddmltest/pipelineddml_test.go, tests/realtikvtest/pipelineddmltest/BUILD.bazel
Summary: Test TestPipelinedDMLNegative enables strict SEM for the test, runs an INSERT, and asserts the pipelined-DML fallback warning; test BUILD gets new semv2 dep.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

ok-to-test, release-note-none

Suggested reviewers

  • hawkingrei
  • yudongusa
  • nolouch
  • winoros

Poem

🐰 I hop and guard the SEM so strict,
Hints and statements trimmed and picked,
Pipelined DML bowed to the rule,
Starter mode holds steady and cool,
—CodeRabbit, nibbling on a changelist.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 11.54% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title 'sem: drive Starter SQL restrictions through SEM v2 config' clearly summarizes the main change—extending SEM v2 with configuration-driven restrictions for Starter deployments.
Description check ✅ Passed The PR description follows the template structure with all required sections present: problem statement with issue reference, detailed explanation of changes, and completed checklist.


@ti-chi-bot ti-chi-bot Bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. sig/planner SIG: Planner labels Apr 21, 2026
@tiprow

tiprow Bot commented Apr 21, 2026

Hi @AmoebaProtozoa. Thanks for your PR.

PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test all.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@AmoebaProtozoa AmoebaProtozoa changed the title [WIP] Strict SEM *: add strict SEM mode for next-gen builds Apr 21, 2026
@ti-chi-bot ti-chi-bot Bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/invalid-title release-note-none Denotes a PR that doesn't merit a release note. do-not-merge/needs-linked-issue labels Apr 21, 2026
@AmoebaProtozoa AmoebaProtozoa changed the title *: add strict SEM mode for next-gen builds SEM: add strict SEM mode for next-gen builds Apr 21, 2026
@AmoebaProtozoa AmoebaProtozoa changed the title SEM: add strict SEM mode for next-gen builds SEM: add strict mode for next-gen builds Apr 21, 2026
@ti-chi-bot ti-chi-bot Bot added do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. and removed release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Apr 21, 2026
@AmoebaProtozoa AmoebaProtozoa marked this pull request as ready for review April 21, 2026 18:26
@ti-chi-bot ti-chi-bot Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 21, 2026
@pantheon-ai

pantheon-ai Bot commented Apr 21, 2026

Review failed due to infrastructure/execution failure after retries. Please re-trigger review.

ℹ️ Learn more details on Pantheon AI.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
pkg/planner/optimize.go (1)

233-244: ⚠️ Potential issue | 🟡 Minor

Stripped-hint warnings may suppress the later "hints ignored, using bindSQL" notice.

originStmtHints is now parsed from the already-filtered hint list. If strict SEM strips every user hint, hint.ParseStmtHints will see len(hints) == 0 and set QueryHasHints = false, so the check at line 351 (if originStmtHints.QueryHasHints { ... "The system ignores the hints in the current query ..." }) will silently skip that note for queries whose only hints happened to be restricted. The user still gets a per-hint restricted warning, so this is minor, but worth a conscious decision: either compute QueryHasHints from the pre-filter slice, or accept the reduced note.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/planner/optimize.go` around lines 233 - 244, The current code parses
originStmtHints from the already-filtered tableHints so QueryHasHints can become
false if all user hints were stripped; to fix, preserve or inspect the
pre-filter hint slice when computing QueryHasHints: call hint.ParseStmtHints
using the original extracted hints (before filterRestrictedHints) or, after
parsing the filtered originStmtHints, explicitly set
originStmtHints.QueryHasHints = len(originalExtractedHints) > 0 (where
originalExtractedHints is the slice returned by
hint.ExtractTableHintsFromStmtNode before filterRestrictedHints). Ensure you
still append restrictedHintWarns to sessVars.StmtCtx and then assign
sessVars.StmtCtx.StmtHints = originStmtHints so downstream checks (e.g., the
QueryHasHints check) reflect whether the user actually provided hints before
filtering.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cmd/tidb-server/main.go`:
- Around line 1165-1191: The current setupSEM enables classic sem (sem.Enable())
when SEMConfig is empty which leaves semv2 global state nil and makes
EnableStrictSEM ineffective; change setupSEM so EnableStrictSEM requires
cfg.Security.SEMConfig to be non-empty: if cfg.Security.SEMConfig == "" and
cfg.Security.EnableStrictSEM is true, log a clear warning (via
logutil.BgLogger().Warn) that strict SEM requires a semv2 config and
ignore/disable strict mode, then continue with classic sem; only call
semv2.EnableStrict() after successfully calling
semv2.Enable(cfg.Security.SEMConfig) (i.e., ensure semv2.Enable returned no
error and global semv2 state is initialized before calling semv2.EnableStrict())
and do not call semv2.EnableStrict() when semv2 was not enabled.

In `@pkg/planner/core/planbuilder.go`:
- Around line 6382-6389: The strict SEM check (semv2.IsStrictEnabled()) is being
executed before verifying SEM is enabled, causing strict mode to apply even when
SEM is disabled; update the logic so strict checks only run when
semv2.IsEnabled() is true (e.g., wrap the semv2.IsStrictEnabled() /
semv2.IsRestrictedStatement(stmt) block inside an if semv2.IsEnabled() { ... }
or change it to if semv2.IsEnabled() && semv2.IsStrictEnabled() { if err :=
semv2.IsRestrictedStatement(stmt); err != nil { return err } }).

In `@pkg/session/session.go`:
- Around line 5521-5524: Add a SQL-level test that enables strict SEM via
semv2.EnableStrict(), sets tidb_dml_type='bulk', executes a DML (e.g.,
INSERT/UPDATE) and asserts the presence of the warning text "Pipelined DML is
not supported in this deployment. Fallback to standard mode" using SHOW
WARNINGS; the test should exercise the usePipelinedDmlOrWarn code path (which
calls semv2.IsStrictEnabled()) and then disable strict mode after the test to
avoid global state leakage. Ensure the test file mirrors existing pipelined-DML
tests (e.g., pipelineddml_test.go) for setup/teardown and uses the same
assertion pattern for SHOW WARNINGS.

In `@pkg/util/sem/v2/restricted_hint.go`:
- Around line 30-31: The "resource_group" branch currently unconditionally
returns an error referencing strict SEM; update the branch in restricted_hint.go
(the case for "resource_group" in the switch handling hints) to follow the same
SEM-aware pattern as the other cases: either check IsStrictEnabled() (or the
same sysvar visibility helper used by
memory_quota/read_consistent_replica/max_execution_time) and only return the
"not supported when strict SEM is enabled" error when strict SEM is active, or
change the error text to a SEM-agnostic message that does not mention strict
SEM; pick one approach and apply it in the "resource_group" case so behavior and
messaging match the other hint checks.


📥 Commits

Reviewing files that changed from the base of the PR and between 8121c82 and ef9fae6.

📒 Files selected for processing (13)
  • cmd/tidb-server/main.go
  • pkg/config/config.go
  • pkg/planner/BUILD.bazel
  • pkg/planner/core/planbuilder.go
  • pkg/planner/optimize.go
  • pkg/session/BUILD.bazel
  • pkg/session/session.go
  • pkg/util/sem/v2/BUILD.bazel
  • pkg/util/sem/v2/restricted_hint.go
  • pkg/util/sem/v2/restricted_hint_test.go
  • pkg/util/sem/v2/restricted_statement.go
  • pkg/util/sem/v2/restricted_statement_test.go
  • pkg/util/sem/v2/strict.go

Comment thread cmd/tidb-server/main.go
Comment thread pkg/planner/core/planbuilder.go Outdated
Comment thread pkg/session/session.go Outdated
Comment thread pkg/util/sem/v2/restricted_hint.go Outdated
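
The restricted_hints behaviour from the PR description (strip a hint with a warning, but for a hint that overrides a system variable only while that variable is SEM-hidden or read-only) together with the review's outside-diff point that QueryHasHints should reflect the hints the user actually wrote, not the filtered list, as an added example in Go. This is illustrative code written for this page, not TiDB's planner or semv2 package: the HintRule/SysVarState types, the guard-variable names in the sample rules and the warning text are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// HintRule is one restricted_hints entry in this hypothetical model (not
// TiDB's code): a hint name and an optional guard variable. With a guard the
// hint is stripped only while that variable is SEM-hidden or read-only;
// without one it is always stripped.
type HintRule struct {
	Name  string
	Guard string
}

// SysVarState is what SEM currently says about a system variable.
type SysVarState struct {
	Hidden   bool
	ReadOnly bool
}

// Hint is a parsed optimizer hint: its name and the original text.
type Hint struct {
	Name string
	Text string
}

// StmtHints is the result handed on to the planner.
type StmtHints struct {
	Hints         []Hint
	QueryHasHints bool
	Warnings      []string
}

func findRule(rules []HintRule, name string) (HintRule, bool) {
	for _, r := range rules {
		if strings.EqualFold(r.Name, name) {
			return r, true
		}
	}
	return HintRule{}, false
}

// guardActive reports whether a rule currently applies: unguarded rules
// always do, guarded rules only while the guard is hidden or read-only.
func guardActive(r HintRule, vars map[string]SysVarState) bool {
	if r.Guard == "" {
		return true
	}
	st, ok := vars[strings.ToLower(r.Guard)]
	return ok && (st.Hidden || st.ReadOnly)
}

// FilterHints strips restricted hints, one warning each. QueryHasHints is
// computed from the list as the user wrote it, before filtering, so a query
// whose only hints were stripped is still reported downstream as having
// carried hints (deriving it after filtering loses that bit).
func FilterHints(rules []HintRule, vars map[string]SysVarState, userHints []Hint, semEnabled bool) StmtHints {
	out := StmtHints{QueryHasHints: len(userHints) > 0}
	if !semEnabled {
		out.Hints = userHints
		return out
	}
	for _, h := range userHints {
		if r, ok := findRule(rules, h.Name); ok && guardActive(r, vars) {
			out.Warnings = append(out.Warnings, fmt.Sprintf("optimizer hint %s is ignored under SEM", h.Text))
			continue
		}
		out.Hints = append(out.Hints, h)
	}
	return out
}

// StarterHintRules is a constructed sample; the guard variable names are
// assumptions made for this example, not TiDB's configuration.
func StarterHintRules() []HintRule {
	return []HintRule{
		{Name: "memory_quota", Guard: "tidb_mem_quota_query"},
		{Name: "max_execution_time", Guard: "max_execution_time"},
		{Name: "resource_group"}, // no guard: always stripped when configured
	}
}

func main() {
	vars := map[string]SysVarState{"tidb_mem_quota_query": {Hidden: true}}
	q := []Hint{
		{Name: "memory_quota", Text: "MEMORY_QUOTA(1 GB)"},
		{Name: "use_index", Text: "USE_INDEX(t, idx)"},
		{Name: "resource_group", Text: "RESOURCE_GROUP(rg1)"},
	}
	res := FilterHints(StarterHintRules(), vars, q, true)
	fmt.Println("kept:", len(res.Hints), "query had hints:", res.QueryHasHints)
	for _, w := range res.Warnings {
		fmt.Println("warning:", w)
	}
}
```

The guard keeps the restriction honest: if an operator later makes tidb_mem_quota_query visible and writable again, the MEMORY_QUOTA hint stops being stripped without a config change, because the hint no longer sidesteps anything SEM hides.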
@codecov

codecov Bot commented Apr 21, 2026

Codecov Report

❌ Patch coverage is 8.97436% with 142 lines in your changes missing coverage. Please review.
✅ Project coverage is 75.2368%. Comparing base (9f09310) to head (be14e46).

Additional details and impacted files
@@               Coverage Diff                @@
##             master     #67945        +/-   ##
================================================
- Coverage   76.3152%   75.2368%   -1.0784%     
================================================
  Files          2041       2028        -13     
  Lines        563114     568087      +4973     
================================================
- Hits         429742     427411      -2331     
- Misses       132456     140633      +8177     
+ Partials        916         43       -873     
Flag Coverage Δ
integration 41.2814% <8.9743%> (+1.5029%) ⬆️


Components Coverage Δ
dumpling 60.4610% <ø> (ø)
parser ∅ <ø> (∅)
br 49.8023% <ø> (-13.0287%) ⬇️

@ti-chi-bot

ti-chi-bot Bot commented May 12, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign king-dylan for approval. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@AmoebaProtozoa
Contributor Author

/retest

@tiprow

tiprow Bot commented May 18, 2026

@AmoebaProtozoa: PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test.

Details

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
pkg/util/sem/v2/restricted_statement.go (1)

186-186: 💤 Low value

Dead code: AdminStmt case is unreachable.

AdminStmt is already handled directly in IsRestrictedStatement (line 94-95) before reaching verifySimple. Since AdminStmt is not in the case list at lines 102-108, this allowlist entry will never match.

♻️ Remove unreachable case
 case
     *ast.FlushStmt,
     *ast.BeginStmt,
     *ast.CommitStmt,
     *ast.SavepointStmt,
     *ast.ReleaseSavepointStmt,
     *ast.RollbackStmt,
     *ast.CreateUserStmt,
     *ast.AlterUserStmt,
     *ast.SetPwdStmt,
     *ast.SetSessionStatesStmt,
     *ast.KillStmt,
     *ast.BinlogStmt,
     *ast.DropStatsStmt,
-    *ast.AdminStmt,
     *ast.GrantStmt,
     *ast.RevokeStmt,
     *ast.NonTransactionalDMLStmt,
     *ast.UseStmt:
     return nil
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/util/sem/v2/restricted_statement.go` at line 186, The switch in
verifySimple contains an unreachable AdminStmt case because
IsRestrictedStatement already handles *ast.AdminStmt earlier; remove the
AdminStmt entry from the case list in verifySimple (or from the allowlist used
there) so the unreachable branch is deleted, leaving only the actually reachable
statement types referenced in verifySimple and ensuring no dead-case remains.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/util/sem/v2/restricted_statement.go`:
- Around line 206-219: GrantRoleStmt and RevokeRoleStmt currently only check
Roles but must also block operations that target restricted users similar to
SetDefaultRoleStmt; update the handlers for GrantRoleStmt and RevokeRoleStmt to
iterate over s.Users and call isRestrictedUser on each entry, returning
notSupported with an appropriate message if any target user is restricted. Use
the existing symbols GrantRoleStmt, RevokeRoleStmt, Users, Roles and
isRestrictedUser to locate the code and implement the additional check so
GRANT/REVOKE cannot modify restricted accounts' role sets.


📥 Commits

Reviewing files that changed from the base of the PR and between 13a5fbe and f4b0816.

📒 Files selected for processing (3)
  • pkg/util/sem/v2/restricted_statement.go
  • pkg/util/sem/v2/restricted_statement_test.go
  • tests/realtikvtest/pipelineddmltest/pipelineddml_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • tests/realtikvtest/pipelineddmltest/pipelineddml_test.go

Comment thread pkg/util/sem/v2/restricted_statement.go Outdated
@ti-chi-bot ti-chi-bot Bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels May 25, 2026
@ti-chi-bot ti-chi-bot Bot added do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. and removed release-note Denotes a PR that will be considered when it comes time to generate release notes. labels May 25, 2026
@AmoebaProtozoa
Contributor Author

/rerun

@AmoebaProtozoa
Contributor Author

/retest

@tiprow

tiprow Bot commented May 25, 2026

@AmoebaProtozoa: PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test.

Details

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Comment thread pkg/planner/core/planbuilder.go Outdated
Comment thread pkg/util/sem/v2/restricted_statement.go Outdated
Comment thread pkg/util/sem/v2/restricted_statement.go Outdated
Comment thread pkg/util/sem/v2/restricted_hint.go
Comment thread pkg/util/sem/v2/restricted_statement.go Outdated
@ti-chi-bot ti-chi-bot Bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jun 2, 2026
@AmoebaProtozoa AmoebaProtozoa changed the title SEM: add strict mode for next-gen builds sem: drive Starter SQL restrictions through SEM v2 config Jun 2, 2026
@ti-chi-bot ti-chi-bot Bot added release-note-none Denotes a PR that doesn't merit a release note. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jun 2, 2026
Express the next-gen Starter SQL restrictions through the existing
config-driven semv2 mechanism rather than a separate strict-mode layer.

- Statement restrictions reuse the semv2 deny-list (restricted_sql.sql /
  restricted_sql.rule); add the exchange_partition rule for the only case
  ast.SEMCommand cannot tell apart from a plain ALTER TABLE.
- restricted_users / restricted_roles protect managed identities from
  DROP USER, RENAME USER and role changes, ahead of the
  RESTRICTED_SQL_ADMIN bypass.
- restricted_hints strips configured optimizer hints with a warning,
  optionally only while a guard variable is hidden or read-only.
- Pipelined DML falls back to standard mode under the Starter deploy mode.

Every semv2 addition is inert unless the SEM config enables it, so
existing deployments keep their current behavior.
@ti-chi-bot

ti-chi-bot Bot commented Jun 2, 2026

[FORMAT CHECKER NOTIFICATION]

Notice: To remove the do-not-merge/needs-tests-checked label, please finish the tests, then check the finished items in the description.

For example:

Tests <!-- At least one of them must be included. -->

- [x] Unit test
- [ ] Integration test
- [ ] Manual test (add detailed scripts or steps below)
- [ ] No code

‼️ Must keep the HTML comments <!-- At least one of them must be included. -->

📖 For more info, you can check the "Contribute Code" section in the development guide.

@AmoebaProtozoa
Contributor Author

/retest

@tiprow

tiprow Bot commented Jun 2, 2026

@AmoebaProtozoa: PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test.

Details

In response to this:

/retest

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@AmoebaProtozoa AmoebaProtozoa requested a review from YangKeao June 3, 2026 02:00

Labels

do-not-merge/needs-tests-checked release-note-none Denotes a PR that doesn't merit a release note. sig/planner SIG: Planner size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
